Formal contractual arrangements that include compliance with information governance requirements are in place with all contractors and support organisations

14.1-111

Employment contracts which include compliance with information governance standards are in place for all individuals carrying out work on behalf of the organisation

14.1-112

Information Governance awareness and mandatory training procedures are in place and all staff are appropriately trained

Confidentiality and Data Protection Assurance

14.1-200

The Information Governance agenda is supported by adequate confidentiality and data protection skills, knowledge and experience which meet the organisation’s assessed needs

14.1-201

The organisation ensures that arrangements are in place to support and promote information sharing for coordinated and integrated care, and staff are provided with clear guidance on sharing information for care in an effective, secure and safe manner

14.1-202

Confidential personal information is only shared and used in a lawful manner and objections to the disclosure or use of this information are appropriately respected

14.1-203

Patients, service users and the public understand how personal information is used and shared for both direct and non-direct care, and are fully informed of their rights in relation to such use

14.1-205

There are appropriate procedures for recognising and responding to individuals’ requests for access to their personal data

14.1-206

Staff access to confidential personal information is monitored and audited. Where care records are held electronically, audit trail details about access to a record can be made available to the individual concerned on request

14.1-207

Where required, protocols governing the routine sharing of personal information have been agreed with other organisations

14.1-209

All person identifiable data processed outside of the UK complies with the Data Protection Act 1998 and Department of Health guidelines

14.1-210

All new processes, services, information systems, and other relevant information assets are developed and implemented in a secure and structured manner, and comply with IG security accreditation, information quality and confidentiality and data protection requirements

Information Security Assurance

14.1-300

The Information Governance agenda is supported by adequate information security skills, knowledge and experience which meet the organisation’s assessed needs

14.1-301

A formal information security risk assessment and management programme for key Information Assets has been documented, implemented and reviewed

14.1-302

There are documented information security incident/event reporting and management procedures that are accessible to all staff

14.1-303

There are established business processes and procedures that satisfy the organisation’s obligations as a Registration Authority

14.1-304

Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use

14.1-305

Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems

All transfers of hardcopy and digital person identifiable and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers

14.1-309

Business continuity plans are up to date and tested for all critical information assets (data processing facilities, communications services and data) and service-specific measures are in place

14.1-310

Procedures are in place to prevent information processing being interrupted or disrupted through equipment failure, environmental hazard or human error

14.1-311

Information Assets with computer components are capable of the rapid detection, isolation and removal of malicious code and unauthorised mobile code

14.1-313

Policy and procedures are in place to ensure that Information Communication Technology (ICT) networks operate securely

14.1-314

Policy and procedures ensure that mobile computing and teleworking are secure

14.1-323

All information assets that hold, or are, personal data are protected by appropriate organisational and technical measures

14.1-324

The confidentiality of service user information is protected through use of pseudonymisation and anonymisation techniques where appropriate

There is consistent and comprehensive use of the NHS Number in line with National Patient Safety Agency requirements

14.1-402

Procedures are in place to ensure the accuracy of service user information on all systems and/or records that support the provision of care

14.1-404

A multi-professional audit of clinical records across all specialties has been undertaken

14.1-406

Procedures are in place for monitoring the availability of paper health/care records and tracing missing records

Secondary Use Assurance

14.1-501

National data definitions, standards, values and data quality checks are incorporated within key systems and local documentation is updated as standards develop

14.1-502

External data quality reports are used for monitoring and improving data quality

14.1-504

Documented procedures are in place for using both local and national benchmarking to identify data quality issues and analyse trends in information over time, ensuring that large changes are investigated and explained

14.1-515

There is a robust programme of internal and external data quality audit

Corporate Information Assurance

14.1-601

Documented and implemented procedures are in place for the effective management of corporate records

14.1-603

Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000

14.1-604

As part of the information lifecycle management strategy, an audit of corporate records has been undertaken